lila/app/controllers/OAuth.scala

package controllers

import cats.data.Validated
import play.api.data.Form
import play.api.data.Forms._
import play.api.libs.json.Json
import play.api.mvc._
import scalatags.Text.all.stringFrag
import views._

import lila.api.Context
import lila.common.HTTPRequest
import lila.app._
import lila.oauth.{ AccessToken, AccessTokenRequest, AuthorizationRequest }

final class OAuth(env: Env) extends LilaController(env) {

  private def reqToAuthorizationRequest(req: RequestHeader) =
    AuthorizationRequest.Raw(
      clientId = get("client_id", req),
      responseType = get("response_type", req),
      redirectUri = get("redirect_uri", req),
      state = get("state", req),
      codeChallengeMethod = get("code_challenge_method", req),
      codeChallenge = get("code_challenge", req),
      scope = get("scope", req)
    )

  private def withPrompt(f: AuthorizationRequest.Prompt => Fu[Result])(implicit ctx: Context) =
    reqToAuthorizationRequest(ctx.req).prompt match {
      case Validated.Valid(prompt) => f(prompt)
      case Validated.Invalid(error) =>
        BadRequest(html.site.message("Bad authorization request")(stringFrag(error.description))).fuccess
    }

  def authorize =
    Open { implicit ctx =>
      withPrompt { prompt =>
        fuccess(ctx.me.fold(Redirect(routes.Auth.login.url, Map("referrer" -> List(ctx.req.uri)))) { me =>
          Ok(
            html.oAuth.authorize(prompt, me, s"${routes.OAuth.authorizeApply}?${ctx.req.rawQueryString}")
          )
        })
      }
    }

  def legacyAuthorize =
    Action { req =>
      MovedPermanently(s"${routes.OAuth.authorize}?${req.rawQueryString}")
    }

  def authorizeApply =
    Auth { implicit ctx => me =>
      withPrompt { prompt =>
        prompt.authorize(me, env.oAuth.legacyClientApi.apply) flatMap {
          case Validated.Valid(authorized) =>
            env.oAuth.authorizationApi.create(authorized) map { code =>
              SeeOther(authorized.redirectUrl(code))
            }
          case Validated.Invalid(error) => SeeOther(prompt.redirectUri.error(error, prompt.state)).fuccess
        }
      }
    }

  private val accessTokenRequestForm = Form(
    mapping(
      "grant_type"    -> optional(text),
      "code"          -> optional(text),
      "code_verifier" -> optional(text),
      "client_id"     -> optional(text),
      "redirect_uri"  -> optional(text),
      "client_secret" -> optional(text)
    )(AccessTokenRequest.Raw.apply)(AccessTokenRequest.Raw.unapply)
  )

  def tokenApply =
    Action.async(parse.form(accessTokenRequestForm)) { implicit req =>
      req.body.prepare match {
        case Validated.Valid(prepared) =>
          env.oAuth.authorizationApi.consume(prepared) flatMap {
            case Validated.Valid(granted) =>
              env.oAuth.tokenApi.create(granted) map { token =>
                Ok(
                  Json
                    .obj(
                      "token_type"   -> "Bearer",
                      "access_token" -> token.plain.secret
                    )
                    .add("expires_in" -> token.expires.map(_.getSeconds - nowSeconds))
                )
              }
            case Validated.Invalid(err) => BadRequest(err.toJson).fuccess
          }
        case Validated.Invalid(err) => BadRequest(err.toJson).fuccess
      }
    }

  def legacyTokenApply =
    Action.async(parse.form(accessTokenRequestForm)) { implicit req =>
      req.body.prepareLegacy(AccessTokenRequest.BasicAuth from req) match {
        case Validated.Valid(prepared) =>
          env.oAuth.authorizationApi.consume(prepared) flatMap {
            case Validated.Valid(granted) =>
              env.oAuth.tokenApi.create(granted) map { token =>
                Ok(
                  Json
                    .obj(
                      "token_type"    -> "Bearer",
                      "access_token"  -> token.plain.secret,
                      "refresh_token" -> s"invalid_for_bc_${lila.common.ThreadLocalRandom.nextString(17)}"
                    )
                    .add("expires_in" -> token.expires.map(_.getSeconds - nowSeconds))
                )
              }
            case Validated.Invalid(err) => BadRequest(err.toJson).fuccess
          }
        case Validated.Invalid(err) => BadRequest(err.toJson).fuccess
      }
    }

  def tokenRevoke =
    Scoped() { implicit req => _ =>
      HTTPRequest.bearer(req) ?? { token =>
        env.oAuth.tokenApi.revoke(token) inject NoContent
      }
    }

  private val revokeClientForm = Form(single("origin" -> text))

  def revokeClient =
    AuthBody { implicit ctx => me =>
      implicit def body = ctx.body
      revokeClientForm
        .bindFromRequest()
        .fold(
          _ => BadRequest.fuccess,
          origin => env.oAuth.tokenApi.revokeByClientOrigin(origin, me) inject NoContent
        )
    }

  def challengeTokens =
    ScopedBody(_.Web.Mod) { implicit req => me =>
      if (isGranted(_.ApiChallengeAdmin, me))
        lila.oauth.OAuthTokenForm.adminChallengeTokens
          .bindFromRequest()
          .fold(
            err => BadRequest(apiFormError(err)).fuccess,
            data =>
              env.oAuth.tokenApi.adminChallengeTokens(data, me).map { tokens =>
                JsonOk(tokens.view.mapValues(t => t.plain.secret).toMap)
              }
          )
      else Unauthorized(jsonError("Missing permission")).fuccess
    }
}
start work on authorize endpoint 2021-06-14 16:05:27 -06:00			`package controllers`

move some code out of controllers 2021-06-20 00:05:36 -06:00			`import cats.data.Validated`
create accessTokenRequestForm 2021-06-16 03:02:03 -06:00			`import play.api.data.Form`
			`import play.api.data.Forms._`
parse minimum data required to show prompt 2021-06-15 01:15:10 -06:00			`import play.api.libs.json.Json`
move some code out of controllers 2021-06-20 00:05:36 -06:00			`import play.api.mvc._`
login for oauth 2021-06-15 04:04:18 -06:00			`import scalatags.Text.all.stringFrag`
move some code out of controllers 2021-06-20 00:05:36 -06:00			`import views._`

login for oauth 2021-06-15 04:04:18 -06:00			`import lila.api.Context`
reimplement programmatic oauth token revocation (#6629) 2021-06-22 10:43:41 -06:00			`import lila.common.HTTPRequest`
move some code out of controllers 2021-06-20 00:05:36 -06:00			`import lila.app._`
remove oauth app crud 2021-07-01 03:13:57 -06:00			`import lila.oauth.{ AccessToken, AccessTokenRequest, AuthorizationRequest }`
start work on authorize endpoint 2021-06-14 16:05:27 -06:00
			`final class OAuth(env: Env) extends LilaController(env) {`

handle all authorization errors 2021-06-15 05:54:55 -06:00			`private def reqToAuthorizationRequest(req: RequestHeader) =`
			`AuthorizationRequest.Raw(`
return fake authorization code 2021-06-16 00:05:27 -06:00			`clientId = get("client_id", req),`
parse minimum data required to show prompt 2021-06-15 01:15:10 -06:00			`responseType = get("response_type", req),`
			`redirectUri = get("redirect_uri", req),`
			`state = get("state", req),`
			`codeChallengeMethod = get("code_challenge_method", req),`
add deprecation warning to legacy prompt 2021-06-28 03:57:44 -06:00			`codeChallenge = get("code_challenge", req),`
parse minimum data required to show prompt 2021-06-15 01:15:10 -06:00			`scope = get("scope", req)`
			`)`

handle all authorization errors 2021-06-15 05:54:55 -06:00			`private def withPrompt(f: AuthorizationRequest.Prompt => Fu[Result])(implicit ctx: Context) =`
			`reqToAuthorizationRequest(ctx.req).prompt match {`
			`case Validated.Valid(prompt) => f(prompt)`
			`case Validated.Invalid(error) =>`
			`BadRequest(html.site.message("Bad authorization request")(stringFrag(error.description))).fuccess`
			`}`
login for oauth 2021-06-15 04:04:18 -06:00
start work on authorize endpoint 2021-06-14 16:05:27 -06:00			`def authorize =`
			`Open { implicit ctx =>`
handle all authorization errors 2021-06-15 05:54:55 -06:00			`withPrompt { prompt =>`
			`fuccess(ctx.me.fold(Redirect(routes.Auth.login.url, Map("referrer" -> List(ctx.req.uri)))) { me =>`
add legacy oauth redirects 2021-06-28 02:36:57 -06:00			`Ok(`
remove oauth app crud 2021-07-01 03:13:57 -06:00			`html.oAuth.authorize(prompt, me, s"${routes.OAuth.authorizeApply}?${ctx.req.rawQueryString}")`
add legacy oauth redirects 2021-06-28 02:36:57 -06:00			`)`
handle all authorization errors 2021-06-15 05:54:55 -06:00			`})`
			`}`
			`}`

add legacy oauth redirects 2021-06-28 02:36:57 -06:00			`def legacyAuthorize =`
			`Action { req =>`
			`MovedPermanently(s"${routes.OAuth.authorize}?${req.rawQueryString}")`
			`}`

handle all authorization errors 2021-06-15 05:54:55 -06:00			`def authorizeApply =`
			`Auth { implicit ctx => me =>`
			`withPrompt { prompt =>`
add legacy oauth client collection 2021-06-28 01:38:07 -06:00			`prompt.authorize(me, env.oAuth.legacyClientApi.apply) flatMap {`
return real persistent authorization code 2021-06-16 01:11:42 -06:00			`case Validated.Valid(authorized) =>`
			`env.oAuth.authorizationApi.create(authorized) map { code =>`
do oauth redirect with 303 to force get method 2021-06-28 11:21:52 -06:00			`SeeOther(authorized.redirectUrl(code))`
return real persistent authorization code 2021-06-16 01:11:42 -06:00			`}`
do oauth redirect with 303 to force get method 2021-06-28 11:21:52 -06:00			`case Validated.Invalid(error) => SeeOther(prompt.redirectUri.error(error, prompt.state)).fuccess`
handle all authorization errors 2021-06-15 05:54:55 -06:00			`}`
			`}`
start work on authorize endpoint 2021-06-14 16:05:27 -06:00			`}`
wip access token endpoint 2021-06-16 02:11:35 -06:00
minor tweaks while reviewing pkce 2021-06-18 01:25:51 -06:00			`private val accessTokenRequestForm = Form(`
create accessTokenRequestForm 2021-06-16 03:02:03 -06:00			`mapping(`
implement grant with fake code verification 2021-06-16 07:45:49 -06:00			`"grant_type" -> optional(text),`
			`"code" -> optional(text),`
			`"code_verifier" -> optional(text),`
more relaxed legacy oauth validation (#9327) 2021-07-03 04:12:58 -06:00			`"client_id" -> optional(text),`
implement grant with fake code verification 2021-06-16 07:45:49 -06:00			`"redirect_uri" -> optional(text),`
more relaxed legacy oauth validation (#9327) 2021-07-03 04:12:58 -06:00			`"client_secret" -> optional(text)`
create accessTokenRequestForm 2021-06-16 03:02:03 -06:00			`)(AccessTokenRequest.Raw.apply)(AccessTokenRequest.Raw.unapply)`
			`)`

			`def tokenApply =`
draft acess token request api 2021-06-16 03:41:59 -06:00			`Action.async(parse.form(accessTokenRequestForm)) { implicit req =>`
			`req.body.prepare match {`
scalafmt 2021-06-16 07:55:42 -06:00			`case Validated.Valid(prepared) =>`
hack to get over the finish line 2021-06-16 08:27:51 -06:00			`env.oAuth.authorizationApi.consume(prepared) flatMap {`
			`case Validated.Valid(granted) =>`
move some code out of controllers 2021-06-20 00:05:36 -06:00			`env.oAuth.tokenApi.create(granted) map { token =>`
			`Ok(`
			`Json`
			`.obj(`
uppercase Bearer in token_type 2021-06-23 08:55:10 -06:00			`"token_type" -> "Bearer",`
refactor access token collection 2021-07-07 04:48:08 -06:00			`"access_token" -> token.plain.secret`
move some code out of controllers 2021-06-20 00:05:36 -06:00			`)`
			`.add("expires_in" -> token.expires.map(_.getSeconds - nowSeconds))`
minor tweaks 2021-06-16 13:07:52 -06:00			`)`
move some code out of controllers 2021-06-20 00:05:36 -06:00			`}`
hack to get over the finish line 2021-06-16 08:27:51 -06:00			`case Validated.Invalid(err) => BadRequest(err.toJson).fuccess`
scalafmt 2021-06-16 07:55:42 -06:00			`}`
implement grant with fake code verification 2021-06-16 07:45:49 -06:00			`case Validated.Invalid(err) => BadRequest(err.toJson).fuccess`
draft acess token request api 2021-06-16 03:41:59 -06:00			`}`
wip access token endpoint 2021-06-16 02:11:35 -06:00			`}`
show list of pkce oauth clients 2021-06-19 15:49:14 -06:00
more relaxed legacy oauth validation (#9327) 2021-07-03 04:12:58 -06:00			`def legacyTokenApply =`
			`Action.async(parse.form(accessTokenRequestForm)) { implicit req =>`
add bc for basic auth in legacy oauth flow 2021-07-05 03:29:22 -06:00			`req.body.prepareLegacy(AccessTokenRequest.BasicAuth from req) match {`
more relaxed legacy oauth validation (#9327) 2021-07-03 04:12:58 -06:00			`case Validated.Valid(prepared) =>`
			`env.oAuth.authorizationApi.consume(prepared) flatMap {`
			`case Validated.Valid(granted) =>`
			`env.oAuth.tokenApi.create(granted) map { token =>`
			`Ok(`
			`Json`
			`.obj(`
			`"token_type" -> "Bearer",`
refactor access token collection 2021-07-07 04:48:08 -06:00			`"access_token" -> token.plain.secret,`
more relaxed legacy oauth validation (#9327) 2021-07-03 04:12:58 -06:00			`"refresh_token" -> s"invalid_for_bc_${lila.common.ThreadLocalRandom.nextString(17)}"`
			`)`
			`.add("expires_in" -> token.expires.map(_.getSeconds - nowSeconds))`
			`)`
			`}`
			`case Validated.Invalid(err) => BadRequest(err.toJson).fuccess`
			`}`
			`case Validated.Invalid(err) => BadRequest(err.toJson).fuccess`
			`}`
			`}`
add legacy oauth redirects 2021-06-28 02:36:57 -06:00
reimplement programmatic oauth token revocation (#6629) 2021-06-22 10:43:41 -06:00			`def tokenRevoke =`
simplify token revocation 2021-06-22 11:49:18 -06:00			`Scoped() { implicit req => _ =>`
			`HTTPRequest.bearer(req) ?? { token =>`
restore auth for oauth revoke by id 2021-07-12 05:40:10 -06:00			`env.oAuth.tokenApi.revoke(token) inject NoContent`
simplify token revocation 2021-06-22 11:49:18 -06:00			`}`
reimplement programmatic oauth token revocation (#6629) 2021-06-22 10:43:41 -06:00			`}`

show list of pkce oauth clients 2021-06-19 15:49:14 -06:00			`private val revokeClientForm = Form(single("origin" -> text))`

			`def revokeClient =`
			`AuthBody { implicit ctx => me =>`
reimplement programmatic oauth token revocation (#6629) 2021-06-22 10:43:41 -06:00			`implicit def body = ctx.body`
show list of pkce oauth clients 2021-06-19 15:49:14 -06:00			`revokeClientForm`
			`.bindFromRequest()`
			`.fold(`
invalidate cached client tokens 2021-06-19 16:16:41 -06:00			`_ => BadRequest.fuccess,`
move cache directly to access token api 2021-07-03 09:03:59 -06:00			`origin => env.oAuth.tokenApi.revokeByClientOrigin(origin, me) inject NoContent`
show list of pkce oauth clients 2021-06-19 15:49:14 -06:00			`)`
			`}`
add /api/token/admin-challenge endpoint 2021-07-13 12:35:02 -06:00
			`def challengeTokens =`
			`ScopedBody(_.Web.Mod) { implicit req => me =>`
			`if (isGranted(_.ApiChallengeAdmin, me))`
			`lila.oauth.OAuthTokenForm.adminChallengeTokens`
			`.bindFromRequest()`
			`.fold(`
			`err => BadRequest(apiFormError(err)).fuccess,`
			`data =>`
			`env.oAuth.tokenApi.adminChallengeTokens(data, me).map { tokens =>`
			`JsonOk(tokens.view.mapValues(t => t.plain.secret).toMap)`
			`}`
			`)`
			`else Unauthorized(jsonError("Missing permission")).fuccess`
			`}`
start work on authorize endpoint 2021-06-14 16:05:27 -06:00			`}`